From 11ff107a853f9ef6ad31ac6e3ed0f15fb8ada27f Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 11 Jul 2019 15:26:50 +0800 Subject: cryptsetup: set the default luks format to LUKS1 The cryptsetup 2.1 uses LUKS2 format as the default LUKS format. This change introduced the following issues: * LUKS2 requires kernel userspace crypto API to be available (CONFIG_CRYPTO_USER_API and CONFIG_CRYPTO_USER_API_SKCIPHER). But linux-yocto doesn't enable these options by default. If missing these kernel modules, the cryptsetup will fall back to using dmcrypt-device for keyslot processing. $ cryptsetup --debug --type luks luksFormat /dev/sda3 [snip] Checking if cipher aes-xts-plain64 is usable. Userspace crypto wrapper cannot use aes-xts-plain64 (-95). Using dmcrypt to access keyslot area. [snip] * The grub can not decrypt a LUKS2 encrypted boot partition because it doesn't support LUKS2 now. See grub bug: https://savannah.gnu.org/bugs/?55093 Add a PACKAGCONFIG for luks format and set the default LUKS format to LUKS1. The users can specify '--type luks2' in cryptsetup command line if they want to use LUKS2. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj
---
 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.1.0.bb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.1.0.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.1.0.bb
index a500b18986..deaede8578 100644
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.1.0.bb
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.1.0.bb
@@ -65,6 +65,7 @@ PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
 PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
 PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
 PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
+PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
 RRECOMMENDS_${PN} = "kernel-module-aes-generic \
 kernel-module-dm-crypt \
-- 
cgit 1.2.3-korg
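Review bot: The added `PACKAGECONFIG[luks2]` line has no comment, so the recipe never says why LUKS1 is the configured default or what that choice gives up; the reasoning exists only in the commit message. LUKS1 keyslots are limited to PBKDF2, while the LUKS2 default in cryptsetup 2.x is the memory-hard Argon2 KDF, so an image built without `luks2` gets weaker passphrase stretching on every `luksFormat` that omits `--type luks2`. I would add two comment lines above the entry: `# Default is LUKS1: grub cannot unlock LUKS2 and linux-yocto lacks CONFIG_CRYPTO_USER_API_SKCIPHER by default.` and `# Enable "luks2" where grub does not need to unlock the volume; LUKS1 keyslots use PBKDF2 only.` The `RRECOMMENDS_${PN}` assignment continues past the end of the hunk, so whether the userspace crypto modules are recommended when `luks2` is enabled cannot be checked from here.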